Facebook has fixed a critical flaw in the Facebook Messenger for Android messaging app. Natalie Silvanovich of Google’s Project Zero reported the bug to the Facebook bug bounty program. The bug could have allowed a sophisticated attacker logged in on Messenger for Android to simultaneously initiate a call and send an unintended message type to someone logged in on Messenger for Android and another Messenger client (i.e. web browser).
It would then trigger a scenario where, while the device is ringing, the caller would begin receiving audio either until the person being called answers or the call times out. To exploit this issue, an attacker would have to already have the permissions to call this particular person by passing certain eligibility checks (e.g. being friends on Facebook). They’d also need to use reverse engineering tools to manipulate their own Messenger application to force it to send a custom message.
After fixing the reported bug server-side, Facebook security researchers applied additional protections against this issue across their apps that use the same protocol for 1:1 calling. According to Facebook, this report is among the three highest bug bounties at $60,000, which reflects its maximum potential impact.
Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, explains this isn’t the first time we’ve seen an attack like this. He says, "Just last year, it was reported that an attacker could inject commercial spyware into a device via unanswered WhatsApp calls. Attackers will find creative ways to bypass the native security measures built into apps and devices in order to discreetly compromise the device.
"This vulnerability in particular could be used to execute a highly effective spying campaign on targeted individuals. It’s a cheap and easy way to be able to eavesdrop on certain individuals. It’s another example of how attackers can leverage personal applications on mobile devices to steal corporate information. This is unique because it doesn’t require any direct interaction with the target and no malware needs to be installed.
"Mobile devices are the key to productivity, so cybercriminals have been increasingly exploiting mobile vulnerabilities on outdated apps and OS versions to initiate their attack. If a user is running an out-of-date version of Facebook Messenger moving forward, they could unintentionally expose sensitive information to attackers. It’s absolutely necessary to understand what mobile apps are running on your employee mobile devices, especially if you allow them to use personal devices to access corporate data. Out-of-date apps could put you out of alignment with compliance standards to cause unintentional data leakage," says Schless.
